Tuesday, January 29, 2008

Windows Registry : The Ins and Outs

With the release of Windows 95, Microsoft changed the way hardware configuration, operating system settings, system preferences and user settings are stored. In place of a scattering of INI files they introduced one centralized hierarchical database, which we call “the registry”. The hierarchy separates user information, machine information and software information into logical units so that each can be managed on its own. When Windows starts, the registry is read to obtain configuration data about the software, hardware and other peripherals that have been set up. Physically, the machine-wide part of the registry is stored in several files in the \system32\config folder; among them are Sam, Security, Software and System, each with .log and .sav companions (Sam.log, Sam.sav, Security.log, Security.sav and so on), while each user's own settings live in a separate file in that user's profile folder. The Sam file holds the local account database, including password hashes, which is one reason access to these files is restricted. The files are held open by the system while Windows runs and cannot be edited directly; changes go through a registry editing program such as “regedit”, which comes bundled with Windows.

The registry is a hierarchical structure similar to the directory/file tree on disk. At the top are six main branches, commonly called ‘hives’ (strictly speaking a hive is one of the on-disk files that backs part of the tree, and the top-level branches are root keys, but the looser usage is widespread). Each branch contains keys, which contain sub-keys, which may contain further sub-keys. Keys hold values, and the values hold the actual data; whatever a piece of software records about itself is stored in them. Values are mainly of three types: String, Binary and DWORD. String values hold human-readable text, binary values hold raw data such as hardware and device settings, and DWORD values hold 32-bit numbers, typically used for Boolean switches and for selecting one option out of a fixed list.

Hives are the topmost portions of the hierarchical tree, and each holds one category of information. Depending on the version of Windows there are five or six of them: HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_CURRENT_CONFIG and, on Windows 95/98/Me only, HKEY_DYN_DATA. Three of the six are not separate stores at all but views into the others, which matters when you are tracking down where a setting really lives.

HKEY_CLASSES_ROOT holds file associations, shortcuts, Windows user interface and OLE (object linking and embedding) information. On the Windows NT line it is a merged view of HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes rather than a store of its own.

HKEY_CURRENT_USER holds the preferences and configuration of the user who is currently logged in: desktop settings, logon names and other user-specific information. It is a link to that user's branch under HKEY_USERS, not a copy, so a change made through either path is the same change.

HKEY_LOCAL_MACHINE holds the configuration of the computer itself: hardware, installed software and all machine-specific preferences that apply to every user who logs on to that machine.

HKEY_USERS holds one branch per loaded user profile. Each branch is named after the user's security identifier (SID); a user's profile is loaded under their SID at logon, and .DEFAULT plus a few well-known system accounts are always present. Profiles of users who are not logged on are not loaded, so you will not find every user who has ever used the machine here.

HKEY_CURRENT_CONFIG holds the current hardware profile. It is a link to the hardware-profile section of HKEY_LOCAL_MACHINE (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current), not a separately stored hive.

HKEY_DYN_DATA (Windows 95/98/Me) holds plug and play and performance data that is rebuilt in memory on every boot and linked to portions of HKEY_LOCAL_MACHINE; nothing in it is stored on disk.

Hives contain keys and sub-keys, which in turn contain values or further sub-keys. Keys are the organizational part of the registry: like folders, they hold sub-keys and the ‘files’, which we call values. Values hold the actual data stored under a key or sub-key, and are primarily of three types: string, binary and DWORD.

String values come in three varieties. REG_SZ is the standard string, used for human-readable text. REG_EXPAND_SZ is an expandable string: it may contain environment-variable references such as %SystemRoot%, stored unexpanded, which the application reading the value replaces with their actual values. REG_MULTI_SZ holds a list of strings, each terminated by a NULL character, with an extra NULL marking the end of the list. A binary value (REG_BINARY) stores raw bytes and is mostly used for hardware component data; regedit shows it in hexadecimal. A DWORD (REG_DWORD) is four bytes long, stored little-endian, and is used by device drivers and services as flags and option switches. Later versions add further types, among them REG_QWORD, a 64-bit number.
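The hierarchy and the value types described above, as an added worked example (not code from the original post): a small Python parser for a Regedit .reg export that rebuilds the root key, sub-key and value structure, decodes each value by its type, and expands a REG_EXPAND_SZ the way a reading application would. The export text, the key and value names, and the %TEMP% path in it are constructed for illustration; the type numbers and on-disk encodings (UTF-16LE strings, little-endian DWORD) are the real ones.

```python
"""Parse a Regedit .reg export offline, rebuild the key tree and decode each
value by its registry data type. Added example, not code from the original
post; SAMPLE_REG and every key, value and path in it are constructed."""
import re
import struct

# Registry type numbers, as they also appear in hex(N): entries of a .reg file.
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7
TYPE_NAMES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

# Constructed sample. Strings are stored as UTF-16LE with a NULL terminator,
# so the hex(2) bytes below spell "%TEMP%\log" and hex(7) spells "a", "b".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleApp]
"Title"="Example App"
"LogDir"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,6c,00,6f,00,67,00,\
  00,00
"Servers"=hex(7):61,00,00,00,62,00,00,00,00,00
"Flags"=dword:00000003
"Blob"=hex:de,ad,be,ef

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp]
"Installed"=dword:00000001
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")                          # [root\sub\key]
_VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')  # "name"=data; @ is (Default)
_HEX_RE = re.compile(r"^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$")   # hex: (binary) or hex(N):

def _unescape(s):
    """Undo .reg escaping of backslash and double quote inside quoted strings."""
    return re.sub(r'\\(["\\])', r"\1", s)

def _join_continuations(lines):
    """Re-join hex data that regedit wraps over lines ending in a backslash."""
    out, buf = [], ""
    for raw in lines:
        s = raw.strip()
        if s.endswith("\\"):
            buf += s[:-1]
        else:
            out.append(buf + s)
            buf = ""
    return out

def decode_value(rtype, data):
    """Interpret raw value bytes the way the registry API would for that type."""
    if rtype in (REG_SZ, REG_EXPAND_SZ):      # one UTF-16LE string, NULL-terminated
        return data.decode("utf-16-le", "replace").split("\x00", 1)[0]
    if rtype == REG_MULTI_SZ:                 # NULL-separated list; an empty string ends it
        parts = data.decode("utf-16-le", "replace").split("\x00")
        return parts[:parts.index("")] if "" in parts else parts
    if rtype == REG_DWORD:                    # four bytes, little-endian
        return struct.unpack("<I", data)[0]
    return bytes(data)                        # REG_BINARY and unknown types: raw bytes

def parse_data(token):
    """Turn the right-hand side of a value line into (type, decoded data)."""
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return (REG_SZ, _unescape(token[1:-1]))
    if token.startswith("dword:"):            # eight hex digits, most significant first
        return (REG_DWORD, int(token[6:], 16))
    m = _HEX_RE.match(token)
    if m:
        rtype = int(m.group(1), 16) if m.group(1) else REG_BINARY
        data = bytes(int(h, 16) for h in m.group(2).split(",") if h)
        return (rtype, decode_value(rtype, data))
    raise ValueError("unrecognised value syntax: " + token)

def parse_reg(text):
    """Return {root_key: {subkey_path: {value_name: (type, data)}}}; the empty
    value name is the key's (Default) value."""
    tree, current = {}, None
    for line in _join_continuations(text.splitlines()):
        if not line or line[0] == ";" or line.startswith(("Windows Registry", "REGEDIT4")):
            continue
        m = _KEY_RE.match(line)
        if m:                                 # new key: split off the root (HKEY_...) part
            root, _, sub = m.group(1).partition("\\")
            current = tree.setdefault(root, {}).setdefault(sub, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = "" if m.group(2) else _unescape(m.group(1))
            current[name] = parse_data(m.group(3))
    return tree

def expand_env(value, env):
    """Expand %NAME% in a REG_EXPAND_SZ string. The registry stores the text
    unexpanded; the reader expands it and leaves unknown names untouched."""
    lookup = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lookup.get(m.group(1).upper(), m.group(0)), value)

if __name__ == "__main__":
    env = {"TEMP": r"C:\Users\alice\AppData\Local\Temp"}   # constructed environment
    for root, keys in parse_reg(SAMPLE_REG).items():
        for sub, values in keys.items():
            print("[%s\\%s]" % (root, sub))
            for name, (rtype, val) in values.items():
                shown = expand_env(val, env) if rtype == REG_EXPAND_SZ else val
                print('  "%s" (%s) = %r' % (name or "(Default)", TYPE_NAMES.get(rtype, rtype), shown))
```

Run it as a script to see the two keys printed under their root keys with every value labelled by type. The same parser is a convenient way to read through a .reg file before importing it, since the file shows exactly which keys and values it will write.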

The registry plays an important role in keeping the computer secure. It holds the local account database, the configuration of every service and driver, and the places Windows looks for programs to start automatically, and it is protected by per-key permissions (ACLs) in the same way files are, which is what keeps an ordinary user from altering machine-wide settings. Modify it with the utmost care: a wrong value can make the computer inoperable. Before changing a key, export it from regedit to a .reg file so the old values can be restored, and make the change from an account with no more privilege than the key requires.


 